Shouldn't 'commercial grade' firewalls support SIP/RTP? I know Cisco firewalls doing SIP and NAT traversal very well.
Klaus
-----Original Message-----
From: Hans Eriksson [mailto:hansa@mac.com]
Sent: Thursday, December 04, 2003 6:13 PM
To: Klaus Darilion
Cc: serusers@lists.iptel.org
Subject: Re: [Serusers] symmetric nat/ broadband routers

Klaus,
Many commercial grade firewalls do not keep sessions alive, regardless of external pings, so it won't work in rather too many cases.
Also, assuming many users (10k, 100k) doing natpings will be heavy.
But alas, NATs are a hack and maybe the only remedies will also be hacks, with all the pros and cons.
cheers /hans
On 4 Dec 2003 at 17:43, Klaus Darilion wrote:
Yes, the ports at the client are identical, but the NAT router uses other ports at the public interface, e.g. if the client behind the NAT uses port 5060 for SIP (send&receive), the NAT's public interface may use for example port 50000. Therefore, the client listens on port 5060, but the packets have to be sent to port 50000 of the public IP address and then the NAT router rewrites the port back to 5060. Hence, the nathelper module rewrites the IP address and the port in the contact header before saving them in the location database.
If the session in the NAT router times out although using natping, that's a pity. Maybe it helps to ping the proxy from the client, e.g. the budgetone phones support keep alive pinging.
Klaus
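
The Contact rewrite described in the quoted message above, as an added Python example (not part of the thread and not the nathelper module's code): the registrar compares the Contact address with the packet's observed source and stores the source instead. The REGISTER message, the public address 203.0.113.7 and all function names are constructed for illustration; ports 5060 and 50000 follow the message.

```python
import re

# Constructed REGISTER as sent by a client behind NAT: the Contact carries the
# private address and the local SIP port 5060.
SAMPLE_REGISTER = (
    "REGISTER sip:example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:alice@example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@192.168.1.10:5060>;expires=3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Group 1: everything up to the host; group 2: host; group 3: optional port.
# Simplification: IPv6 literals and the compact header form "m:" are not handled.
CONTACT_RE = re.compile(
    r"^(Contact:[^\r\n<]*?<?sips?:(?:[^@>\s]+@)?)([^:;>\s]+)(?::(\d+))?",
    re.IGNORECASE | re.MULTILINE,
)

def contact_hostport(msg):
    """Return (host, port) from the first Contact header, or None if absent."""
    m = CONTACT_RE.search(msg)
    if m is None:
        return None
    return m.group(2), int(m.group(3) or 5060)  # 5060 is the SIP default port

def is_natted(msg, src_ip, src_port):
    """True when the Contact address differs from where the packet came from."""
    return contact_hostport(msg) not in (None, (src_ip, src_port))

def fix_contact(msg, src_ip, src_port):
    """Rewrite Contact host:port to the observed source, leaving Via untouched."""
    return CONTACT_RE.sub(
        lambda m: f"{m.group(1)}{src_ip}:{src_port}", msg, count=1
    )

if __name__ == "__main__":
    # The NAT's public side as seen by the proxy (constructed address).
    src = ("203.0.113.7", 50000)
    if is_natted(SAMPLE_REGISTER, *src):
        print(fix_contact(SAMPLE_REGISTER, *src))
```

The rewritten binding is only reachable while the NAT keeps the 50000 to 5060 mapping open, which is why the thread turns to natping and client-side keep-alives.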